Cyber crime group claims successful attack on security firm, crows about it on Telegram – but it was all an elaborate honeypot
Scattered LAPSUS$ Hunters thought it had access to vast amounts of Resecurity's internal data, but the whole thing was just a set-up
Notorious cyber crime group Scattered LAPSUS$ Hunters has been left red-faced after boasting about a data breach that turned out to be a honeypot.
The group posted screenshots on Telegram, which have since been taken down, claiming to have gained full access to systems belonging to cybersecurity firm Resecurity.
As reported by DataBreaches, the post claimed Scattered LAPSUS$ Hunters had gained access to all internal chats and logs, employee data such as names and email addresses, as well as threat intelligence and client lists.
"They go around telling companies they will 'protect' them from cyber attacks, sell expensive services, act like experts... but in the end, just like we did with CrowdStrike and the FBI, they got fully owned :(((," crowed the group.
The gloating was short-lived, however: the group had in fact walked into a honeypot set up by researchers at Resecurity.
How the honeypot worked
In November, the company detected a threat actor attempting malicious activity, probing various publicly facing services and applications. The actor also targeted one of the company's employees, someone who had neither sensitive data nor privileged access.
"Understanding that the actor is conducting reconnaissance, our team has set up a honeytrap account. This led to a successful login by the threat actor to one of the emulated applications containing synthetic data," said the company in a blog.
"While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong proof of their activity."
The honeypot scheme used synthetic data – purposely generated data with the patterns and characteristics of real-world data, but that doesn't contain any actual proprietary information.
In this case, this data included more than 28,000 synthetic consumer records and over 190,000 synthetic payment transaction records.
"In the context of threat hunting, previously breached data can be highly effective for designing deception models that appear extremely realistic and attract threat actors," said Resecurity.
"For example, a purposely planted honeypot — containing realistically looking (but practically useless) records — can motivate threat actors to attempt to steal it."
Patience is a virtue
Researchers at Resecurity waited, and on December 12 the group resumed activity. Over the following two weeks it made more than 188,000 requests in an attempt to dump the synthetic data, scraping it with automated tooling.
At one point the threat actor inadvertently disclosed its real IP addresses. That misstep, along with other mistakes, allowed Resecurity to identify the exact servers running the automation, even though the group was routing its traffic through lists of residential proxy IPs to disguise its true origin.
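The two techniques described above, bait data that is convincing but useless, and logging on the emulated application that exposes automation and proxy slips, can be sketched in code. The following is an added illustration, not Resecurity's tooling: the record layout, the canary scheme (an HMAC tag in a customer reference so a row found later on a forum can be proven synthetic), the Luhn-valid test-prefix PANs, the log format, the proxy list and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
import hashlib
import hmac
import random
from collections import defaultdict
from datetime import datetime

# ---- 1. Bait data: synthetic records that look real but can be proven synthetic ----
# Hypothetical key; keep it off the honeypot host so an intruder cannot forge or strip tags.
CANARY_KEY = b"hypothetical-canary-key-rotate-me"
FIRST = ["alice", "bob", "carol", "dave", "erin", "frank"]
LAST = ["nguyen", "patel", "okafor", "silva", "kowalski", "tanaka"]


def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit pass the Luhn check, as real card numbers do."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return luhn_check_digit(pan[:-1]) == pan[-1]


def canary_tag(record_id: int) -> str:
    """Short keyed tag for one bait record; ties a leaked row back to the bait set."""
    return hmac.new(CANARY_KEY, str(record_id).encode(), hashlib.sha256).hexdigest()[:8]


def synthetic_consumers(n: int, seed: int = 7) -> list[dict]:
    """Deterministic synthetic consumer rows; PANs use the prefix of the 4111... test card."""
    rng = random.Random(seed)
    rows = []
    for rid in range(n):
        first, last = rng.choice(FIRST), rng.choice(LAST)
        payload = "411111" + "".join(rng.choice("0123456789") for _ in range(9))
        rows.append({
            "id": rid,
            "name": f"{first.title()} {last.title()}",
            "email": f"{first}.{last}{rid}@example.com",
            "pan": payload + luhn_check_digit(payload),
            "ref": f"CR-{rid}-{canary_tag(rid)}",  # customer reference carrying the canary
        })
    return rows


def is_bait_ref(ref: str) -> bool:
    """True if a reference seen in a dump or on a forum verifies against our canary key."""
    parts = ref.split("-")
    if len(parts) != 3 or parts[0] != "CR" or not parts[1].isdigit():
        return False
    return hmac.compare_digest(canary_tag(int(parts[1])), parts[2])


# ---- 2. Telemetry from the emulated app: spot bulk dumping and proxy slips ----
# Constructed log lines: timestamp, client IP, session, method, path, status.
LOG = """\
2025-12-12T10:00:00 203.0.113.7 sess=a1 POST /login 200
2025-12-12T10:00:01 203.0.113.7 sess=a1 GET /api/records?page=1 200
2025-12-12T10:00:01 198.51.100.4 sess=a1 GET /api/records?page=2 200
2025-12-12T10:00:02 198.51.100.9 sess=a1 GET /api/records?page=3 200
2025-12-12T10:00:02 192.0.2.55 sess=a1 GET /api/records?page=4 200
2025-12-12T10:00:03 203.0.113.7 sess=a1 GET /api/records?page=5 200
2025-12-12T10:00:03 203.0.113.7 sess=a1 GET /api/records?page=6 200
2025-12-12T11:30:00 203.0.113.250 sess=b2 GET /api/records?page=1 200
"""
# Constructed: IPs the defender has already attributed to a residential-proxy pool.
RESIDENTIAL_PROXIES = {"203.0.113.7", "198.51.100.4", "198.51.100.9", "203.0.113.250"}


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, ip, sess, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "sess": sess.removeprefix("sess="), "method": method,
                       "path": path, "status": int(status)})
    return events


def analyse(events, proxies, dump_path="/api/records", min_dumps=5, rate_per_sec=1.0):
    """Per session: honeytrap login, dump volume, automation verdict, IPs outside the proxy pool.

    One session token appearing from an IP that is not a known proxy is the 'slip' that
    exposes the real automation host behind the residential-proxy rotation."""
    by_sess = defaultdict(list)
    for e in events:
        by_sess[e["sess"]].append(e)  # log order preserved
    findings = {}
    for sess, evs in by_sess.items():
        dumps = [e for e in evs if e["path"].startswith(dump_path) and e["status"] == 200]
        logged_in = any(e["method"] == "POST" and e["path"] == "/login" and e["status"] == 200
                        for e in evs)
        span = max(1.0, (evs[-1]["ts"] - evs[0]["ts"]).total_seconds())
        findings[sess] = {
            "login": logged_in,
            "dump_requests": len(dumps),
            "automation": len(dumps) >= min_dumps and len(dumps) / span >= rate_per_sec,
            "non_proxy_ips": sorted({e["ip"] for e in evs} - proxies),
        }
    return findings


if __name__ == "__main__":
    print(synthetic_consumers(2))
    print(analyse(parse_log(LOG), RESIDENTIAL_PROXIES))
```

The canary check is the piece that matters after the fact: if rows with these references surface in a leak-sale post, `is_bait_ref` proves they came from the honeypot, which is the "strong proof of their activity" Resecurity refers to. The session correlation works because residential proxies change the source address but not the session token the scraper keeps reusing.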
"The group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot," Resecurity said. "In fact, we are dealing with their rebranded version, which calls itself 'Scattered Lapsus$ Hunters,' due to the alleged overlap between the threat actors ShinyHunters, Lapsus$, and Scattered Spider."
According to Resecurity, information on the threat actors acquired through the campaign has been provided to law enforcement agencies investigating the group.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
